novicelab.io/nginx
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Set low default values for directives

Browse Source 
Adjust directive values as needed depending on site requirements
e.g client_max_body_size 500M in minio.conf while other sites are limited to 1k
This commit is contained in:
kbrianngeno
2026-03-21 09:35:02 +00:00
parent 8d79a452ee
commit 17a8b6bce2
1 changed files with 91 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
data/nginx.conf
View File

@@ -3,25 +3,36 @@ worker_processes auto;
error_log /var/log/nginx/error.log warn; error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
# Load modules
include /etc/nginx/modules-enabled/*.conf;
events { events {
worker_connections 1024; worker_connections 1024;
use epoll;
multi_accept on; multi_accept on;
} }
http { http {
# MIME
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
keepalive_timeout 65; charset utf-8;
keepalive_requests 100000; sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
variables_hash_max_size 2048; log_format main '$remote_addr - $remote_user [$time_local] '
server_names_hash_bucket_size 128; '"$request" $status $bytes_sent '
server_tokens off; '"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
resolver 8.8.8.8 valid=30s ipv6=off; log_format cloudflare '$remote_addr - $remote_user [$time_local] "$request" '
resolver_timeout 11s; '$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_cf_ray $http_cf_connecting_ip '
'$http_x_forwarded_for $http_x_forwarded_proto '
'$http_true_client_ip $http_cf_ipcountry '
'$http_cf_visitor $http_cdn_loop';
log_format json_combined escape=json '{' log_format json_combined escape=json '{'
'"method":"$request_method",' '"method":"$request_method",'
@@ -40,49 +51,87 @@ http {
'"timestamp":"$time_iso8601",' '"timestamp":"$time_iso8601",'
'"ip":"$http_x_forwarded_for"' '"ip":"$http_x_forwarded_for"'
'}'; '}';
# log_format VCOMBINED '$host:$server_port ' # log_format VCOMBINED '$host:$server_port '
# '$remote_addr $remote_user [$time_local] ' # '$remote_addr $remote_user [$time_local] '
# '"$request" $status $body_bytes_sent ' # '"$request" $status $body_bytes_sent '
# '"$http_referer" "$http_user_agent"'; # '"$http_referer" "$http_user_agent"';
# track every client request and are vital for traffic analysis and performance monitoring.
access_log /var/log/nginx/access.log json_combined; access_log /var/log/nginx/access.log json_combined;
# capture internal server issues and help with troubleshooting.
error_log /var/log/nginx/error.log debug; error_log /var/log/nginx/error.log debug;
sendfile on; # SSL
tcp_nopush on; # Mozilla Intermediate configuration
tcp_nodelay on; ssl_protocols TLSv1.2 TLSv1.3;
types_hash_max_size 2048; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Important for MinIO
client_max_body_size 0;
proxy_buffering off;
proxy_request_buffering off;
# Increase the buffer for the request line and headers
client_header_buffer_size 16k;
large_client_header_buffers 4 32k;
# If using Nginx as a proxy to the Harbor core/registry
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
# Add extra headers
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'none'";
# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; # enable session resumption to improve https performance
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
# ssl_dhparam /etc/nginx/dhparam.pem;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 127.0.0.11 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
# CONTROL RESOURCES AND LIMITS / CONTROLLING BUFFER OVERFLOW ATTACKS
# specify the client request body buffer size; default 8k/16k
client_body_buffer_size 1k;
# sets the headerbuffer size for the request header from client.
# 1K sufficient for most requests.
# Increase this if you have a custom header or a large cookie sent from the client (e.g., wap client).
client_header_buffer_size 1k;
# assigns the maximum accepted body size of client request, indicated by the line Content-Length in the header of request.
# If size is greater the given one, then the client gets the error “Request Entity Too Large” (413).
# Increase this when you are getting file uploads via the POST method. e.g harbor image push, minio uploads
client_max_body_size 1k;
# assigns the maximum number and size of buffers for large headers to read from client request.
# By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K,
# if at the end of working request connection converts to state keep-alive,
# then these buffers are freed. 2x1k will accept 2kB data URI.
# This will also help combat bad bots and DoS attacks.
large_client_header_buffers 4 4k;
client_header_timeout 60;
client_body_timeout 60;
send_timeout 60;
# PROXY BUFFERING
# NGINX stores the response from a server in internal buffers as it comes in,
# and doesn't start sending data to the client until the entire response is buffered
# With proxy_buffering disabled, data received from the server is immediately relayed by NGINX,
# allowing for minimum Time To First Byte (TTFB).
# TLDR - Buffering is needed to ensure that the upstream server can be set free after delivering the response to NGINX,
# and NGINX will proceed to deliver the response to the slow client.
proxy_buffering off; # for a single server setup (SSL termination of Varnish), where no caching is done in NGINX itself
# Defines the amount of memory that NGINX will allocate for each request to the proxied server.
# This small chunk of memory will be used for reading and storing the tiny fraction of response the HTTP headers.
# tuning solves the upstream sent too big header while reading response header from upstream error.
proxy_buffer_size 8k; # defaults: 4k/8k, should be enough for most PHP websites, or adjust as above
# size of buffers, in kilobytes, which can be used for delivering the response to clients
# while it was not fully read from the upstream server.
proxy_busy_buffers_size 16k; # essentially, proxy_buffer_size + 2 small buffers of 4k
# The rule of thumb with this setting is that while we make use of buffering,
# it is best that the complete response from upstream can be held in memory, to avoid disk I/O.
proxy_buffers 8 4k; # Default: 8 4k|8k; should be enough for most PHP websites, adjust as above to get an accurate value
# Time to establish TCP connection
# Increase only if your app has slow endpoints
proxy_connect_timeout 60s;
# Time between successive writes to upstream
proxy_send_timeout 60;
# Time between successive reads from upstream
proxy_read_timeout 60;
# Gzip Settings # Gzip Settings
gzip on; gzip on;
@@ -91,7 +140,7 @@ http {
gzip_comp_level 6; gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml; gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
# Include all server configurations # Include all server configurations
include /etc/nginx/conf.d/*.conf; # include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
} }